Since the release of the App Store in 2008, Apple have sought to differentiate the iPhone as a safe, impenetrable device that runs only apps that have been rigorously reviewed and approved in accordance with the company's policies and standards. However, this image has been severely tarnished in recent weeks following the discovery that tech giants Facebook and Google had been using apps signed under Apple's Enterprise Certificate program to monitor and collect customer device data. This has opened up a much wider investigation into Apple's Enterprise Certificate program and how rigidly its standards and entry requirements are enforced. Just this week it was discovered that app developers have been using the relatively straightforward process of signing up to the enterprise program to circumvent the restrictions of the App Store in order to distribute pornography and gambling apps and to offer alternatives to popular legitimate apps such as Spotify and Minecraft. So iPhones may not be as safe or impossible to corrupt as Apple want you to believe – but how exactly is this the case?
Apple Enterprise Developer Program
Apple's Enterprise Developer Program offers companies the opportunity to create and distribute apps internally to their employees to assist with their work or improve their workplace experience. For example, many companies use workplace chat or lunchtime menu apps exclusive to employees. The program permits companies to develop and distribute apps without the need to go through the official App Store channel, as long as usage is restricted to internal employees only. Technically, the app is signed with the company's enterprise distribution certificate and installed from the company's own download link; once the user has trusted that developer profile in the iPhone's Settings, the app runs on an ordinary, un-jailbroken device without any review by Apple. Just last month, however, it was discovered that Facebook, and later Google, were violating the terms of the program by offering customers payment in return for downloading an app and allowing the companies to monitor and collect extensive data related to their phone and web activity. Apple issued a statement confirming that by using their membership of the Enterprise Developer Program to distribute data-collecting apps to customers, both Facebook and Google had violated the terms of the program and would have their certificates revoked. As a result, the offending research apps were shut down, though not before several days of chaos at Facebook and Google HQs, where every internal app signed with the revoked certificate stopped working until Apple restored it. However, it is the aftermath of this discovery that is having the greatest impact on both Apple's program and the world of cyber-security.
Pornography and gambling apps
Just last week it was discovered that Facebook and Google were far from the only app developers openly abusing Apple's Enterprise Developer Program. An investigation by TechCrunch uncovered more than a dozen hardcore pornography and real-money gambling apps signed under the Apple program and available for download independently of the App Store. It seems that as a result of the relatively lax screening process of the enterprise program, developers were easily able to circumvent the official App Store and flout Apple's content restrictions and policies. TechCrunch found that for an app developer to enter the enterprise program, they simply needed to fill out an online form pledging that they would develop apps for internal employee use only, provide the D-U-N-S number registered to a business (which could easily be found via Google and a lookup tool provided by Apple), and pay a fee of $299. Following this, the developers were just required to reconfirm over the phone their commitment to limit apps to employee use and, just like that, were approved for the program. Last week, using a standard un-jailbroken iPhone, TechCrunch were able to download at least 12 apps offering streaming or pay-per-view hardcore pornography and 12 gambling apps allowing users to deposit, win and withdraw real money, activities that clearly breach Apple's family-friendly app standards and would be prohibited from the App Store. The enterprise certificates used to sign these apps and side-step the App Store were rarely registered to company names related to their true purpose, showing how simple it is to take advantage of the enterprise program with just a couple of lies.
Many of the apps were registered under innocuous, vague names such as 'Interprener' and 'AsianLiveTech', while others appeared to be using the names and business details of unrelated, legitimate organizations, such as the 'Dragon Gaming' app registered to US gravel supplier CSL-LOMA or the pornography app 'AVBobo' using the name of the unrelated Fresno-based company Chaney Cabinet & Furniture Co.
Hacked versions of legitimate apps
To add to this, it was also reported by Reuters last week that pirate app distributors such as TutuApp and TweakBox have been using Apple's enterprise certificates to distribute modified versions of popular iOS apps to iPhone users. The investigation found alternative versions of apps such as Spotify, Angry Birds, Pokemon Go and Minecraft offering the same services as the originals but without the regular ads, fees or rules, depriving both Apple and the legitimate app makers of revenue. These illegitimate apps were available for sideloading onto ordinary iOS devices and used the same method as the pornography and gambling apps to deceive the enterprise program and circumvent the App Store. Following the discovery, several pirate distributors had their certificates revoked; however, within days they had obtained new certificates and the same apps were found to be operational again.
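The apps described in the three sections above share one technical property: each is signed against an enterprise (in-house) distribution provisioning profile rather than reviewed through the App Store, and the team name on that profile often has nothing to do with the app. The Python below is an added example, not code from the original post or from any Corrata product, showing how a security team can pull the embedded.mobileprovision out of an .ipa, classify how the app was distributed, and surface the team name and expiry for manual review. The profile keys it reads (ProvisionsAllDevices, ProvisionedDevices, TeamName, TeamIdentifier, ExpirationDate, the get-task-allow entitlement) are the standard ones Apple writes into provisioning profiles; the sample profile, bundle name and team name are constructed for the example and do not refer to any real app.

```python
import datetime
import io
import plistlib
import zipfile

# Constructed sample: the XML plist body of an enterprise (in-house) distribution
# profile. Real embedded.mobileprovision files wrap XML like this inside a
# CMS/PKCS#7 signature; every value here is made up for this example.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Dragon Slots</string>
    <key>Name</key><string>Enterprise Distribution</string>
    <key>TeamName</key><string>Example Gravel Supply Co</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.slots</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""


def extract_profile_plist(blob: bytes) -> dict:
    """Carve the XML plist out of a CMS-wrapped .mobileprovision blob.

    This recovers the payload only; it does NOT verify the CMS signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Return the distribution type implied by a provisioning profile."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house profile: installs on any device, no App Store review
    if "ProvisionedDevices" in profile:
        # A device list means ad hoc or development; debuggable builds are development.
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def inspect_ipa(ipa) -> dict:
    """Summarise the provisioning profile embedded in an .ipa (path or file object)."""
    with zipfile.ZipFile(ipa) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return {"type": "appstore",
                    "note": "no embedded.mobileprovision (typical of App Store installs)"}
        profile = extract_profile_plist(z.read(names[0]))
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return {
        "type": classify_profile(profile),
        "team_name": profile.get("TeamName"),          # cross-check against the app's purpose
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": profile.get("ExpirationDate", now) < now,
    }


def build_sample_ipa() -> io.BytesIO:
    """Constructed .ipa: a zip holding a fake app bundle with the sample profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fake bytes before and after the plist stand in for the real CMS wrapper.
        z.writestr("Payload/DragonSlots.app/embedded.mobileprovision",
                   b"\x30\x82\x01\x00" + SAMPLE_ENTERPRISE_PROFILE + b"\x00\x00")
        z.writestr("Payload/DragonSlots.app/Info.plist", b"<plist/>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
```

A "enterprise" result on a device that is not managed by the team named in the profile is exactly the pattern the TechCrunch and Reuters investigations describe, and a team name unrelated to the app's content is the manual red flag. The carve-out approach above trusts the plist without checking who signed it; on a Mac, `security cms -D -i embedded.mobileprovision` both verifies the signature and prints the plist, and that is the right tool when the signer identity matters.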
Implications for business
So what do these discoveries mean for organizations and individual iPhone users? Apple have always described their software as designed with 'security at its core', making it extremely difficult for malware or hackers to penetrate, while the App Store has always been known for its strict rules on app content. This image has suffered a major blow following these revelations. The ease with which app developers have been able to violate the terms of the enterprise program and distribute apps that directly breach the rules of the App Store has highlighted flaws in the way Apple verify and monitor the distribution of iOS apps. This could create huge problems for company policies that ban gambling or pornography content on work devices if employees are able to sideload these alternative apps. And while there has been little to indicate that any of these imitation apps contain malicious content or breach user privacy, sideloading apps from unofficial sources is always risky, especially for devices that may store or access sensitive corporate data: the enterprise certificate holder, not Apple, decides what the app does, and Apple has no visibility of the app until someone reports it. Allowing employees access to these illicit apps could have serious consequences for businesses, and it seems that trusting Apple to restrict their distribution will no longer suffice.
Ultimately the lesson of this episode is that organizations cannot simply outsource mobile security to the platform owners. Solutions such as Corrata Security and Control add layers of defense which will protect when the native security controls of mobile operating systems are breached. Corrata, for example, uses its unique granular visibility and control over device activity to block access to unofficial app stores and enforce compliance with corporate acceptable use policies. Organizations can have the peace of mind that employees will be protected from malicious content, even when app store vetting processes break down.